CN103152343B - Method and network device for establishing an Internet Protocol Security virtual private network tunnel - Google Patents


Info

Publication number: CN103152343B
Application number: CN201310068073.XA
Authority: CN (China)
Prior art keywords: network equipment, mark (identifier), tunnel, request message, subnet
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN103152343A
Inventor: 吕翀昊
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: NSFOCUS Information Technology Co Ltd; Beijing NSFocus Information Security Technology Co Ltd


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a network device for establishing an IPsec VPN tunnel. The method comprises: a first network device sends a negotiation request message carrying a negotiation identifier to a second network device and receives a negotiation response message carrying the returned verification result; if that verification result indicates that verification passed, the first network device sends to the second network device a tunnel establishment request message carrying the identifiers of the multiple subnets at the first network device and at the second network device, and receives a response message carrying the returned verification result; if that verification result indicates that negotiation succeeded, the first network device maps the information on the multiple subnets at the first network device to the identifier of the tunnel requested for establishment. With the method and network device for establishing an IPsec VPN tunnel provided by the invention, because the tunnel establishment request message carries the identifiers of the first and second network devices, a single tunnel can correspond to multiple pairs of subnets, which reduces the workload of the network administrator and the network traffic.

Description

Method and network device for establishing an Internet Protocol Security virtual private network tunnel
Technical field
The present invention relates to the field of communication technology, and in particular to a method and a network device for establishing an Internet Protocol Security virtual private network tunnel.
Background technology
Virtual Private Network (VPN) technology establishes a private logical network on top of a public physical network (generally the Internet), so that network nodes in different local area networks (LANs) can access each other freely and securely, as if they were located in the same LAN.
Internet Protocol Security (IPsec) is a broad, open VPN security protocol suite comprising the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol, the Internet Key Exchange (IKE) protocol and others; IPsec can run in tunnel mode or in transport mode.
An IPsec VPN tunnel can be established between two gateways, between a gateway and a mobile client, and in other cases. Taking the gateway-to-gateway case, a tunnel is established between the two gateways through the IKE protocol, and through this tunnel the network nodes in the two different LANs connected by the two gateways can access each other freely and securely.
In the prior art, when standard IKE negotiation is used to establish an IPsec VPN tunnel, the two network elements establishing the tunnel exchange their respective identities (IDs) with each other; the ID can be an IP subnet, an IP address or an IP address range in the format prescribed by standard IKE negotiation.
However, the prior art has at least the following defect: one tunnel can protect only one pair of IP subnets, IP addresses or IP address ranges. When multiple pairs of IP subnets, IP addresses or IP address ranges need to be protected between the two network elements establishing the tunnel, multiple tunnels must be established, which increases the workload of the network administrator; and if the tunnels enable the Dead Peer Detection (DPD) function, that is, the two network elements establishing the tunnel periodically send packets to each other to detect whether the peer is still alive, establishing multiple tunnels also increases network traffic.
Summary of the invention
The invention provides a method and a network device for establishing an Internet Protocol Security virtual private network tunnel, to solve the problem in the prior art that when multiple pairs of IP subnets, IP addresses or IP address ranges need to be protected between the two network elements establishing a tunnel, multiple tunnels must be established, which increases the workload of the network administrator and the network traffic.
In one aspect, the invention provides a method for establishing an Internet Protocol Security virtual private network tunnel, comprising:
a first network device sends a negotiation request message to a second network device, the negotiation request message carrying a negotiation identifier, the negotiation identifier being used to indicate that the tunnel requested by a tunnel establishment request message corresponds to multiple subnets at the first network device and, correspondingly, to multiple subnets at the second network device;
the first network device receives a negotiation response message to the negotiation request message sent by the second network device, the negotiation response message carrying a first verification result obtained by the second network device verifying according to the negotiation identifier;
if the first verification result indicates that verification passed, the first network device sends the tunnel establishment request message to the second network device, the tunnel establishment request message carrying an identifier of the first network device and an identifier of the second network device, the identifier of the first network device identifying the information on the multiple subnets at the first network device, and the identifier of the second network device identifying the information on the multiple subnets at the second network device;
the first network device receives a response message to the tunnel establishment request message sent by the second network device, the response message carrying a second verification result obtained by the second network device verifying according to the identifier of the first network device and the identifier of the second network device;
if the second verification result indicates that negotiation succeeded, the first network device maps the information on the multiple subnets at the first network device and at the second network device to the identifier of the tunnel requested by the tunnel establishment request message.
In another aspect, the invention further provides a method for establishing an Internet Protocol Security virtual private network tunnel, comprising:
a second network device receives a negotiation request message sent by a first network device, the negotiation request message carrying a negotiation identifier, the negotiation identifier being used to indicate that the tunnel requested by a tunnel establishment request message corresponds to multiple subnets at the first network device and, correspondingly, to multiple subnets at the second network device;
the second network device verifies according to the negotiation identifier and obtains a first verification result;
the second network device sends a negotiation response message to the negotiation request message to the first network device, the negotiation response message carrying the first verification result;
if the first verification result indicates that verification passed, the second network device receives the tunnel establishment request message sent by the first network device, the tunnel establishment request message carrying an identifier of the first network device and an identifier of the second network device, the identifier of the first network device identifying the information on the multiple subnets at the first network device, and the identifier of the second network device identifying the information on the multiple subnets at the second network device;
the second network device verifies according to the identifier of the first network device and the identifier of the second network device and obtains a second verification result; the second network device sends a response message to the tunnel establishment request message to the first network device, the response message carrying the second verification result;
if the second verification result indicates that negotiation succeeded, the second network device maps the information on the multiple subnets at the first network device and at the second network device to the identifier of the tunnel requested by the tunnel establishment request message.
In another aspect, the invention further provides a network device, comprising:
a first sending module, for sending a negotiation request message to a second network device, the negotiation request message carrying a negotiation identifier, the negotiation identifier being used to indicate that the tunnel requested by a tunnel establishment request message corresponds to multiple subnets at the network device and, correspondingly, to multiple subnets at the second network device;
a first receiving module, for receiving a negotiation response message to the negotiation request message sent by the second network device, the negotiation response message carrying a first verification result obtained by the second network device verifying according to the negotiation identifier;
a second sending module, for sending, if the first verification result indicates that verification passed, the tunnel establishment request message to the second network device, the tunnel establishment request message carrying an identifier of the network device and an identifier of the second network device, the identifier of the network device identifying the information on the multiple subnets at the network device, and the identifier of the second network device identifying the information on the multiple subnets at the second network device;
a second receiving module, for receiving the response message to the tunnel establishment request message sent by the second network device, the response message carrying a second verification result obtained by the second network device verifying according to the identifier of the network device and the identifier of the second network device;
a first mapping module, for mapping, if the second verification result indicates that negotiation succeeded, the information on the multiple subnets at the network device and at the second network device to the identifier of the tunnel requested by the tunnel establishment request message.
In another aspect, the invention further provides a network device, comprising:
a third receiving module, for receiving a negotiation request message sent by a first network device, the negotiation request message carrying a negotiation identifier, the negotiation identifier being used to indicate that the tunnel requested by a tunnel establishment request message corresponds to multiple subnets at the first network device and, correspondingly, to multiple subnets at the network device;
a first verification module, for verifying according to the negotiation identifier and obtaining a first verification result;
a third sending module, for sending a negotiation response message to the negotiation request message to the first network device, the negotiation response message carrying the first verification result;
a fourth receiving module, for receiving, if the first verification result indicates that verification passed, the tunnel establishment request message sent by the first network device, the tunnel establishment request message carrying an identifier of the first network device and an identifier of the network device, the identifier of the first network device identifying the information on the multiple subnets at the first network device, and the identifier of the network device identifying the information on the multiple subnets at the network device;
a second verification module, for verifying according to the identifier of the first network device and the identifier of the network device and obtaining a second verification result;
a fourth sending module, for sending the response message to the tunnel establishment request message to the first network device, the response message carrying the second verification result;
a second mapping module, for mapping, if the second verification result indicates that negotiation succeeded, the information on the multiple subnets at the first network device and at the network device to the identifier of the tunnel requested by the tunnel establishment request message.
With the method and network device for establishing an Internet Protocol Security virtual private network tunnel provided by the invention, the tunnel establishment request message sent by the first network device carries the identifier of the multiple subnets at the first network device and the identifier of the multiple subnets at the second network device, and the information on the multiple subnets at the first and second network devices is mapped to the identifier of the tunnel requested by the tunnel establishment request message, so that a single tunnel established between the two network devices can correspond to multiple pairs of subnets, which reduces the workload of the network administrator and the network traffic.
Brief description of the drawings
Fig. 1 is a flow diagram of an embodiment of the method for establishing an Internet Protocol Security virtual private network tunnel according to the invention;
Fig. 2 is a schematic diagram of a typical application scenario of the embodiment shown in Fig. 1;
Fig. 3 is a flow diagram of another embodiment of the method for establishing an Internet Protocol Security virtual private network tunnel according to the invention;
Fig. 4 is a flow diagram of a further embodiment of the method for establishing an Internet Protocol Security virtual private network tunnel according to the invention;
Fig. 5 is a schematic diagram of establishing multiple tunnels by existing standard IKE negotiation;
Fig. 6 is a schematic diagram of establishing a single tunnel by the method of the embodiment shown in Fig. 4;
Fig. 7 is a structural diagram of an embodiment of the network device according to the invention;
Fig. 8 is a structural diagram of another embodiment of the network device according to the invention.
Detailed description of the embodiments
The technical solution of the invention is described in further detail below through specific embodiments and the accompanying drawings.
Fig. 1 is a flow diagram of an embodiment of the method for establishing an Internet Protocol Security virtual private network tunnel according to the invention. As shown in Fig. 1, this embodiment describes the technical solution of the invention in detail from the side of the initiator of the IPsec VPN tunnel, i.e. the first network device; the entity executing the method for establishing an IPsec VPN tunnel provided by this embodiment is the first network device. The method may specifically comprise:
S101: the first network device sends a negotiation request message to the second network device; the negotiation request message carries a negotiation identifier, which indicates that the tunnel requested by the tunnel establishment request message corresponds to multiple subnets at the first network device and, correspondingly, to multiple subnets at the second network device.
Specifically, the first network device and the second network device are respectively the initiator and the responder of the IPsec VPN tunnel establishment; both may be gateways, or one may be a gateway and the other a mobile client, and the concrete deployment scenario and device type are not restricted here. Fig. 2 is a schematic diagram of a typical application scenario of the embodiment shown in Fig. 1. As shown in Fig. 2, the first and second network devices are taken to be gateways, distinguished in this embodiment as gateway 1 and gateway 2, which are located in different LANs (for example, gateway 1 is in LAN 1 and gateway 2 is in LAN 2). By establishing an IPsec VPN tunnel between gateway 1 and gateway 2, hosts that originally belong to different LANs (LAN 1 and LAN 2) can access each other freely and securely, as if they were in the same LAN. The negotiation identifier may specifically be the vendor identifier of the first network device.
S102: the first network device receives the negotiation response message to the negotiation request message sent by the second network device; the negotiation response message carries the first verification result obtained by the second network device verifying according to the negotiation identifier.
Specifically, with the negotiation identifier being the vendor identifier of the first network device: when the vendor identifier of the first network device carried in the negotiation request message it sent is consistent with the vendor identifier of the second network device, the first verification result carried in the negotiation response message that the first network device receives from the second network device indicates that verification passed, and step S103 is then executed.
S103: if the first verification result indicates that verification passed, the first network device sends a tunnel establishment request message to the second network device; the tunnel establishment request message carries the identifier of the first network device and the identifier of the second network device, the identifier of the first network device identifying the information on the multiple subnets at the first network device, and the identifier of the second network device identifying the information on the multiple subnets at the second network device.
Specifically, the identifier of the first network device itself and the pre-configured identifier of the second network device, carried in the tunnel establishment request message that the first network device sends to the second network device, may be used, on the one hand, by the second network device to verify the identity of the first network device and, on the other hand, to identify each pair of subnets that need to communicate through the tunnel. Specifically, the identifier of the first network device may comprise information on the multiple subnets at the first network device, the multiple IP addresses at the first network device, or the multiple IP address ranges at the first network device; this embodiment is described with the identifier of the first network device comprising information on the multiple subnets at the first network device. Specifically, the identifier of the first network device may comprise the number of subnets at the first network device, and the IP subnet address and subnet mask of each subnet at the first network device.
Correspondingly, the identifier of the second network device may comprise information on the multiple subnets at the second network device, the multiple IP addresses at the second network device, or the multiple IP address ranges at the second network device; this embodiment is described with the identifier of the second network device comprising information on the multiple subnets at the second network device. Specifically, the identifier of the second network device may comprise the number of subnets at the second network device, and the IP subnet address and subnet mask of each subnet at the second network device. Optionally, the correspondence between any one subnet of the first network device and a subnet of the second network device can be determined by making the order of the subnet entries in the identifier of the second network device correspond to the order of the subnet entries in the identifier of the first network device. For example, a pair of subnets that need to communicate can be placed at the same position in the identifier of the first network device and in the identifier of the second network device.
S104: the first network device receives the response message to the tunnel establishment request message sent by the second network device; the response message carries the second verification result obtained by the second network device verifying according to the identifier of the first network device and the identifier of the second network device.
Specifically, when the identifier of the first network device itself and the pre-configured identifier of the second network device, carried in the tunnel establishment request message sent by the first network device, are consistent with the identifier of the first network device pre-configured in the second network device and the identifier of the second network device itself, the second verification result carried in the response message that the first network device receives from the second network device indicates that verification of the first network device passed and negotiation succeeded, and step S105 is then executed. Correspondingly, when the identifier of the first network device itself and the pre-configured identifier of the second network device, carried in the tunnel establishment request message sent by the first network device, are inconsistent with the identifier of the first network device pre-configured in the second network device and the identifier of the second network device itself, the second verification result carried in the response message that the first network device receives from the second network device indicates that verification of the first network device failed and negotiation failed, and the tunnel establishment process is terminated.
S105: if the second verification result indicates that negotiation succeeded, the first network device maps the information on the multiple subnets at the first network device and at the second network device to the identifier of the tunnel requested by the tunnel establishment request message.
Specifically, the first network device maps the information on the multiple subnets at itself and at the second network device to the identifier of the tunnel requested by the tunnel establishment request message and records the mapping locally, so that a single tunnel corresponds to the multiple pairs of subnets at the first network device and the second network device.
With the method for establishing an Internet Protocol Security virtual private network tunnel provided by this embodiment, the tunnel establishment request message sent by the first network device carries the identifier of the multiple subnets at the first network device and the identifier of the multiple subnets at the second network device, and the information on the multiple subnets at the first and second network devices is mapped to the identifier of the tunnel requested by the tunnel establishment request message, so that a single tunnel established between the two network devices can correspond to the multiple pairs of subnets at the first network device and the second network device, which reduces the workload of the network administrator and the network traffic.
Fig. 3 is a flow diagram of another embodiment of the method for establishing an Internet Protocol Security virtual private network tunnel according to the invention. As shown in Fig. 3, this embodiment describes the technical solution of the invention in detail from the side of the responder of the IPsec VPN tunnel, i.e. the second network device; the entity executing the method for establishing an IPsec VPN tunnel provided by this embodiment is the second network device. The method may specifically comprise:
S301: the second network device receives the negotiation request message sent by the first network device; the negotiation request message carries a negotiation identifier, which indicates that the tunnel requested by the tunnel establishment request message corresponds to multiple subnets at the first network device and, correspondingly, to multiple subnets at the second network device.
Specifically, the first network device and the second network device are respectively the initiator and the responder of the IPsec VPN tunnel establishment; both may be gateways, or one may be a gateway and the other a mobile client, and the concrete deployment scenario and device type are not restricted here. The negotiation identifier may specifically be the vendor identifier of the first network device.
S302: the second network device verifies according to the negotiation identifier and obtains the first verification result.
Specifically, the second network device parses the received negotiation request message to obtain the negotiation identifier. With the negotiation identifier being the vendor identifier of the first network device, the second network device compares the parsed vendor identifier of the first network device with its own vendor identifier: when the two are consistent, the first verification result obtained indicates that verification passed; when the two are inconsistent, the first verification result obtained indicates that verification failed.
S303: the second network device sends the negotiation response message to the negotiation request message to the first network device; the negotiation response message carries the first verification result.
Specifically, according to the different first verification results obtained in step S302, the second network device sends negotiation response messages carrying the different first verification results to the first network device; that is, when the vendor identifier of the first network device carried in the negotiation request message sent by the first network device is consistent with the vendor identifier of the second network device, the second network device sends a negotiation response message indicating that verification passed to the first network device, and step S304 is then executed.
S304: if the first verification result indicates that verification passed, the second network device receives the tunnel establishment request message sent by the first network device; the tunnel establishment request message carries the identifier of the first network device and the identifier of the second network device, the identifier of the first network device identifying the information on the multiple subnets at the first network device, and the identifier of the second network device identifying the information on the multiple subnets at the second network device.
Specifically, the identifier of the first network device and the pre-configured identifier of the second network device, carried in the tunnel establishment request message that the second network device receives from the first network device, may be used, on the one hand, to verify the identity of the first network device and, on the other hand, to identify each pair of subnets that need to communicate through the tunnel. Specifically, the identifier of the first network device may comprise information on the multiple subnets at the first network device, the multiple IP addresses at the first network device, or the multiple IP address ranges at the first network device; this embodiment is described with the identifier of the first network device comprising information on the multiple subnets at the first network device. Specifically, the identifier of the first network device may comprise the number of subnets at the first network device, and the IP subnet address and subnet mask of each subnet at the first network device.
Correspondingly, the identifier of the second network device may comprise information on the multiple subnets at the second network device, the multiple IP addresses at the second network device, or the multiple IP address ranges at the second network device; this embodiment is described with the identifier of the second network device comprising information on the multiple subnets at the second network device. Specifically, the identifier of the second network device may comprise the number of subnets at the second network device, and the IP subnet address and subnet mask of each subnet at the second network device. Optionally, the correspondence between any one subnet of the first network device and a subnet of the second network device can be determined by making the order of the subnet entries in the identifier of the second network device correspond to the order of the subnet entries in the identifier of the first network device. For example, a pair of subnets that need to communicate can be placed at the same position in the identifier of the first network device and in the identifier of the second network device.
S305: the second network device verifies according to the identifier of the first network device and the identifier of the second network device and obtains the second verification result.
Specifically, the second network device parses the received tunnel establishment request message to obtain the identifier of the first network device and the pre-configured identifier of the second network device, and compares them respectively with the identifier of the first network device pre-configured in itself and with its own identifier. When both pairs of identifiers are consistent, the second verification result obtained indicates that verification of the first network device passed and negotiation succeeded; when one pair of identifiers is inconsistent, or both pairs are inconsistent, the second verification result obtained indicates that verification of the first network device failed and negotiation failed.
S306: the second network device sends the response message to the tunnel establishment request message to the first network device; the response message carries the second verification result.
Specifically, according to the different second verification results obtained in step S305, the second network device sends response messages carrying the different second verification results to the first network device; that is, when the identifier of the first network device and the pre-configured identifier of the second network device, carried in the tunnel establishment request message received by the second network device, are both consistent with the identifier of the first network device pre-configured in the second network device and its own identifier, the second network device sends a response message indicating that negotiation succeeded to the first network device; when one pair of identifiers is inconsistent, or both pairs are inconsistent, the second network device sends a response message indicating that negotiation failed to the first network device and terminates the tunnel establishment process.
S307: if the second verification result indicates that negotiation succeeded, the second network device maps the information on the multiple subnets at the first network device and at the second network device to the identifier of the tunnel requested by the tunnel establishment request message.
Specifically, when the second verification result obtained in step S305 indicates that negotiation succeeded, the second network device maps the information on the multiple subnets at itself and at the first network device to the identifier of the tunnel requested by the tunnel establishment request message and records the mapping locally, so that a single tunnel corresponds to the multiple pairs of subnets at the second network device and the first network device.
It should be noted that there is no fixed order of execution between steps S306 and S307.
With the method for establishing an Internet Protocol Security virtual private network tunnel provided by this embodiment, the tunnel establishment request message sent by the first network device carries the identifier of the multiple subnets at the first network device and the identifier of the multiple subnets at the second network device, and the information on the multiple subnets at the second and first network devices is mapped to the identifier of the tunnel requested by the tunnel establishment request message, so that a single tunnel established between the two network devices can correspond to the multiple pairs of subnets at the second network device and the first network device, which reduces the workload of the network administrator and the network traffic.
Fig. 4 is a flow chart of another embodiment of the method for establishing an Internet Protocol Security virtual private network tunnel according to the present invention. As shown in Fig. 4, the present embodiment describes the detailed flow of the method for establishing an Internet Protocol Security virtual private network tunnel of the embodiments shown in Fig. 1 and Fig. 3 above; the method may specifically comprise:
S401: the first network device sends a negotiation request message to the second network device, the negotiation request message carrying a negotiation identifier, and the negotiation identifier being used to indicate that the tunnel whose establishment is requested by the tunnel establishment request message corresponds to the multiple subnets on the first network device side and the corresponding multiple subnets on the second network device side;
Specifically, the first network device and the second network device are respectively the initiator and the responder of the IPsec VPN tunnel establishment; both may be gateways, or one of them may be a gateway and the other a mobile client or the like; the specific deployment scenario and device type are not restricted here. The negotiation identifier may specifically be the vendor identifier of the first network device.
S402: the second network device performs verification according to the negotiation identifier, obtaining a first verification result;
Specifically, the second network device parses the received negotiation request message to obtain the negotiation identifier. Taking the negotiation identifier to be the vendor identifier of the first network device, the second network device compares the vendor identifier of the first network device obtained by parsing with its own vendor identifier; when the two are consistent, the first verification result obtained indicates that verification passed, and when the two are inconsistent, the first verification result obtained indicates that verification failed.
S403: the second network device sends a negotiation response message to the negotiation request message to the first network device, the negotiation response message carrying the first verification result;
Specifically, according to the different first verification results obtained in step S402, the second network device sends a negotiation response message carrying the corresponding first verification result to the first network device. That is, when the vendor identifier of the first network device carried in the negotiation request message sent by the first network device is consistent with the vendor identifier of the second network device, the second network device sends a negotiation response message indicating that verification passed to the first network device, and execution continues with step S405; when the vendor identifier of the first network device carried in the negotiation request message sent by the first network device is inconsistent with the vendor identifier of the second network device, the second network device sends a negotiation response message indicating that verification failed to the first network device, and step S404 is executed.
S404: if the first verification result indicates that verification failed, the first network device and the second network device establish the tunnel using the standard Internet Key Exchange (IKE) negotiation mode.
Specifically, after the first network device receives the negotiation response message indicating that verification failed sent by the second network device, the first network device sends a negotiation request message to the second network device again, this time without a negotiation identifier; that is, it carries out an existing standard IKE negotiation, so as to ensure compatibility with standard IKE negotiation.
A complete IKE negotiation comprises two phases: the first phase and the second phase.
Steps S402 to S403 above are an improvement on the first phase of existing standard IKE negotiation. To better describe the scheme of the present embodiment, the first phase of existing standard IKE negotiation is introduced first. It comprises main mode and aggressive mode; taking main mode as an example, the two sides perform three message exchanges, as follows:
Initiator (first network device) / Responder (second network device) [message exchange diagram not reproduced in the text]
In this exchange, the first message sent by the initiator (first network device) is the negotiation request message, which does not carry a negotiation identifier. Accordingly, the first message sent by the responder (second network device) is the negotiation response message, which does not carry a negotiation identifier either.
The first phase of the IKE negotiation as improved by the present embodiment: taking main mode as an example, the two sides perform three message exchanges, as follows:
Initiator (first network device) / Responder (second network device) [message exchange diagram not reproduced in the text]
In this exchange, the first message sent by the initiator (first network device) is the negotiation request message, corresponding to step S401 above. Unlike existing standard IKE negotiation, the negotiation request message carries a negotiation identifier, which may be the vendor identifier MYID of the first network device. Accordingly, the first message sent by the responder (second network device) is the negotiation response message. Specifically, after the responder (second network device) receives the negotiation request message sent by the first network device, it judges whether the vendor identifier of the first network device carried in the negotiation request message is consistent with its own vendor identifier. If consistent, the second network device sends a negotiation response message to the first network device carrying a first verification result indicating that verification passed, corresponding to steps S402 and S403 above, and the remaining two message exchanges of the first phase then continue in the same way as existing standard IKE negotiation. If inconsistent, the second network device sends a negotiation response message to the first network device carrying a first verification result indicating that verification failed; the first network device may then send a negotiation request message to the second network device again, this time without a negotiation identifier, that is, it carries out an existing standard IKE negotiation (comprising the first phase and the second phase), ensuring compatibility with existing standard IKE negotiation.
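The first-phase exchange described in steps S401 to S404 can be modelled as a small two-party protocol. The Python block below is an added example written for this page; it is not code from the patent or from its assignee. The message classes, the `VERIFIED`/`NOT_VERIFIED` result values, the vendor identifiers and the `LegacyResponder` (a peer that does not implement the extension and therefore never returns a first verification result) are all assumptions made for the illustration. It shows the responder's comparison of the negotiation identifier with its own vendor identifier, and the initiator's fallback to a standard IKE negotiation when the result is not "verified" or when no result comes back at all.

```python
# Added example (not the patent's code): model of the improved phase-1 first
# exchange, steps S401 to S404. Message and field names are hypothetical.
from dataclasses import dataclass
from typing import List, Optional

VERIFIED = "verified"          # first verification result: peer runs the same extension
NOT_VERIFIED = "not_verified"  # first verification result: fall back to standard IKE


@dataclass(frozen=True)
class NegotiationRequest:
    """First main-mode message; negotiation_id carries the vendor identifier
    (absent in a standard IKE negotiation)."""
    proposals: List[str]
    negotiation_id: Optional[bytes] = None


@dataclass(frozen=True)
class NegotiationResponse:
    """First responder message; first_result is only set when the extension is used."""
    chosen_proposal: str
    first_result: Optional[str] = None


class Responder:
    """Second network device: compares the received vendor identifier with its
    own and reports the first verification result (steps S402 and S403)."""

    def __init__(self, vendor_id: bytes):
        self.vendor_id = vendor_id

    def handle(self, req: NegotiationRequest) -> NegotiationResponse:
        if req.negotiation_id is None:
            # No negotiation identifier: plain standard IKE, no result reported.
            return NegotiationResponse(req.proposals[0])
        result = VERIFIED if req.negotiation_id == self.vendor_id else NOT_VERIFIED
        return NegotiationResponse(req.proposals[0], result)


class LegacyResponder:
    """Assumed peer without the extension: it ignores the identifier and never
    sets first_result, so the initiator must treat the reply as 'not verified'."""

    def handle(self, req: NegotiationRequest) -> NegotiationResponse:
        return NegotiationResponse(req.proposals[0])


class Initiator:
    """First network device: offers its vendor identifier in the first message
    and retries without it when verification does not pass (step S404)."""

    def __init__(self, vendor_id: bytes, proposals: List[str]):
        self.vendor_id = vendor_id
        self.proposals = proposals

    def negotiate(self, responder) -> str:
        first = responder.handle(NegotiationRequest(self.proposals, self.vendor_id))
        if first.first_result == VERIFIED:
            return "multi-subnet"   # continue with S405 and the extended IDci/IDcr
        # Not verified, or no result at all: resend without the identifier and
        # complete the ordinary two IKE phases instead.
        responder.handle(NegotiationRequest(self.proposals))
        return "standard-ike"


if __name__ == "__main__":
    init = Initiator(b"VENDOR-A", ["aes128-sha1-modp1024"])   # constructed values
    print(init.negotiate(Responder(b"VENDOR-A")))   # multi-subnet
    print(init.negotiate(Responder(b"VENDOR-B")))   # standard-ike
    print(init.negotiate(LegacyResponder()))        # standard-ike
```

Because the first main-mode message is sent before any key material exists, the negotiation identifier only selects which negotiation mode the two devices will follow; it is not an authentication of the peer. Peer authentication still rests on the standard IKE authentication exchange and, for the tunnel itself, on the identifier comparison of the second phase.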
S405: if the first verification result indicates that verification passed, the first network device sends a tunnel establishment request message to the second network device, the tunnel establishment request message carrying an identifier of the first network device and an identifier of the second network device, the identifier of the first network device being used to identify the multiple subnets on the first network device side and the identifier of the second network device being used to identify the multiple subnets on the second network device side;
Specifically, after the first network device receives the negotiation response message indicating that verification passed sent by the second network device, the first network device sends to the second network device a tunnel establishment request message carrying its own identifier and the pre-configured identifier of the second network device. These identifiers serve, on the one hand, for the second network device to verify the identity of the first network device and, on the other hand, to identify each pair of subnets that need to communicate through the tunnel. Specifically, the identifier of the first network device may comprise: information on the multiple subnets on the first network device side, information on the multiple IP addresses on the first network device side, or information on the multiple IP address ranges on the first network device side; the present embodiment is described taking the case where the identifier of the first network device comprises information on the multiple subnets on the first network device side. Specifically, the identifier of the first network device may comprise: the number of subnets on the first network device side, and the IP subnet address and subnet mask of each of those subnets;
Accordingly, the identifier of the second network device may comprise: information on the multiple subnets on the second network device side, information on the multiple IP addresses on the second network device side, or information on the multiple IP address ranges on the second network device side; the present embodiment is described taking the case where the identifier of the second network device comprises information on the multiple subnets on the second network device side. Specifically, the identifier of the second network device may comprise: the number of subnets on the second network device side, and the IP subnet address and subnet mask of each of those subnets. Optionally, the order of the per-subnet information in the identifier of the second network device corresponds to the order of the per-subnet information in the identifier of the first network device, so that the correspondence between any subnet of the first network device and a subnet of the second network device can be determined. For example, a pair of subnets that need to communicate may occupy the same position in the identifier of the second network device and in the identifier of the first network device.
S406: the second network device performs verification according to the identifier of the first network device and the identifier of the second network device, obtaining a second verification result;
Specifically, the second network device parses the received tunnel establishment request message to obtain the identifier of the first network device and the pre-configured identifier of the second network device that it carries, and compares them respectively with its own pre-configured identifier of the first network device and its own identifier. When both pairs of identifiers are consistent, the second verification result obtained indicates that verification of the first network device passed and the negotiation succeeded; when one pair or both pairs of identifiers are inconsistent, the second verification result obtained indicates that verification of the first network device failed and the negotiation failed.
S407: the second network device sends a response message to the tunnel establishment request message to the first network device, the response message carrying the second verification result;
Specifically, according to the different second verification results obtained in step S406, the second network device sends a response message carrying the corresponding second verification result to the first network device. That is, when the identifier of the first network device and the pre-configured identifier of the second network device carried in the tunnel establishment request message received by the second network device are both consistent with the second network device's own pre-configured identifier of the first network device and its own identifier, the second network device sends a response message indicating negotiation success to the first network device; when one pair or both pairs of identifiers are inconsistent, the second network device sends a response message indicating negotiation failure to the first network device and terminates the tunnel establishment process.
S408: if the second verification result indicates negotiation success, the first network device maps the information on the multiple subnets on the first network device side and on the second network device side to the identifier of the tunnel whose establishment is requested by the tunnel establishment request message;
Specifically, when the second verification result carried in the response message to the tunnel establishment request message that the first network device receives from the second network device indicates negotiation success, the first network device maps the information on the multiple subnets on its own side and on the second network device side to the identifier of the tunnel whose establishment is requested by the tunnel establishment request message, and records the mapping locally, so that a single tunnel corresponds to multiple pairs of subnets on the first network device side and the second network device side.
S409: if the second verification result indicates negotiation success, the second network device maps the information on the multiple subnets on the first network device side and on the second network device side to the identifier of the tunnel whose establishment is requested by the tunnel establishment request message.
Specifically, when the second verification result obtained in step S406 indicates negotiation success, the second network device maps the information on the multiple subnets on its own side and on the first network device side to the identifier of the tunnel whose establishment is requested by the tunnel establishment request message, and records the mapping locally, so that a single tunnel corresponds to multiple pairs of subnets on the second network device side and the first network device side.
It should be noted that there is no fixed order of execution between steps S407 and S409.
After steps S408 and S409 above are completed, a single tunnel corresponds to the subnet pairs formed by the multiple subnets on the first network device side and the multiple subnets on the second network device side; for the correspondence of the subnet pairs, see the related description in step S404, which is not repeated here.
Steps S405 to S409 above are an improvement on the second phase of existing standard IKE negotiation. The second phase of the improved IKE negotiation, quick mode, is as follows:
Initiator (first network device) / Responder (second network device) [message exchange diagram not reproduced in the text]
In this exchange, the first message sent by the initiator (first network device) is the tunnel establishment request message, corresponding to step S405 above; the tunnel establishment request message carries the identifier IDci of the first network device and the identifier IDcr of the second network device. Accordingly, the first message sent by the responder (second network device) is the response message to the tunnel establishment request message. Specifically, after the responder (second network device) receives the tunnel establishment request message sent by the first network device, it parses it according to the agreed format and judges whether the identifier of the first network device and the pre-configured identifier of the second network device carried in the tunnel establishment request message are consistent with its own pre-configured identifier of the first network device and its own identifier, corresponding to step S406 above. If both pairs of identifiers are consistent, the second network device sends to the first network device a response message to the tunnel establishment request message carrying a second verification result indicating negotiation success; if one pair or both pairs of identifiers are inconsistent, the second network device sends to the first network device a response message to the tunnel establishment request message carrying a second verification result indicating negotiation failure, and terminates the tunnel establishment process, corresponding to step S407 above.
Unlike standard IKE negotiation, however, the format of the identifier IDci of the first network device and the identifier IDcr of the second network device carried in the tunnel establishment request message is changed.
Specifically, when the IP subnets on the first network device side and the second network device side are used as the respective identifiers, then for IPv4, in existing standard IKE negotiation the format of IDci and IDcr is: the first 4 bytes represent the IP subnet address and the last 4 bytes represent the subnet mask, 8 bytes in total. This format of IDci and IDcr means that a single tunnel can correspond to only one pair of subnets; when multiple pairs of subnets need to communicate, multiple tunnels must be established, which wastes resources. Fig. 5 is a schematic diagram of establishing multiple tunnels using existing standard IKE negotiation. As shown in Fig. 5, when communication is needed between local area network (LAN) 1 at gateway 1 and LAN 2 at gateway 2, and between LAN 3 at gateway 1 and LAN 4 at gateway 2, two tunnels (tunnel 1 and tunnel 2) must be established between gateway 1 and gateway 2, one for each of the two pairs of subnets.
In the present embodiment, the format of IDci and IDcr is changed to: the first 4 bytes represent the number of subnets on the first network device side or the second network device side respectively, and each following 8 bytes represent one subnet (in the same form as standard IKE negotiation: the first 4 bytes represent the IP subnet address and the last 4 bytes represent the subnet mask, 8 bytes in total). For example, when two pairs of subnets need to communicate, IDci and IDcr each comprise 4+8+8=20 bytes. With this changed format of IDci and IDcr, a single tunnel can correspond to multiple pairs of subnets; when multiple pairs of subnets need to communicate, only one tunnel needs to be established, saving network resources. Fig. 6 is a schematic diagram of establishing a single tunnel using the method of the embodiment shown in Fig. 4. As shown in Fig. 6, when communication is needed between LAN 1 at gateway 1 and LAN 2 at gateway 2, and between LAN 3 at gateway 1 and LAN 4 at gateway 2, only one tunnel needs to be established between gateway 1 and gateway 2, and that tunnel can correspond to both pairs of subnets.
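The following Python block is an added example written for this page, not code from the patent or from its assignee. It implements the changed IDci/IDcr layout just described (a 4-byte subnet count followed by 8-byte address/mask entries), the responder-side comparison of step S406, and the tunnel-to-subnet-pair mapping of steps S408/S409, together with a lookup that uses the recorded mapping to pick the tunnel for a packet. The gateway subnets (`GW1_SUBNETS`, `GW2_SUBNETS`), the tunnel identifier string and all function names are constructed for the illustration; the LAN numbering follows Fig. 6 (LAN 1 and LAN 3 behind gateway 1, LAN 2 and LAN 4 behind gateway 2). The parser goes slightly beyond the text in that it rejects an identifier whose declared count does not match its length, and a subnet whose host bits are set or whose mask is not contiguous.

```python
# Added example (not the patent's code): multi-subnet IDci/IDcr encoding and
# parsing, responder verification (S406) and tunnel mapping (S408/S409).
# All addresses and names below are constructed sample values.
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

Subnet = ipaddress.IPv4Network
SubnetPair = Tuple[Subnet, Subnet]

COUNT_LEN = 4   # leading subnet count introduced by the changed format
ENTRY_LEN = 8   # 4-byte subnet address + 4-byte subnet mask, as in standard IKE


def encode_standard_id(net: Subnet) -> bytes:
    """Standard IKE IPv4 subnet identifier: address then mask, 8 bytes."""
    return net.network_address.packed + net.netmask.packed


def encode_multi_subnet_id(subnets: List[Subnet]) -> bytes:
    """Changed format: 4-byte big-endian count, then one 8-byte entry per subnet."""
    if not subnets:
        raise ValueError("at least one subnet is required")
    return struct.pack("!I", len(subnets)) + b"".join(encode_standard_id(n) for n in subnets)


def decode_multi_subnet_id(data: bytes) -> List[Subnet]:
    """Parse the changed format, rejecting length mismatches and invalid subnets."""
    if len(data) < COUNT_LEN:
        raise ValueError("identifier shorter than the subnet count field")
    (count,) = struct.unpack("!I", data[:COUNT_LEN])
    if count == 0 or len(data) != COUNT_LEN + ENTRY_LEN * count:
        raise ValueError(f"length {len(data)} does not match subnet count {count}")
    subnets = []
    for i in range(count):
        off = COUNT_LEN + ENTRY_LEN * i
        addr = ipaddress.IPv4Address(data[off:off + 4])
        mask = ipaddress.IPv4Address(data[off + 4:off + 8])
        # strict=True: host bits set under the mask, or a non-contiguous mask,
        # raise ValueError rather than silently producing a different subnet.
        subnets.append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=True))
    return subnets


def responder_verify(idci: bytes, idcr: bytes,
                     preconfigured_initiator: List[Subnet],
                     own_subnets: List[Subnet]) -> bool:
    """Step S406: both received identifiers must equal the responder's configuration.

    The comparison is order-sensitive on purpose: the i-th initiator subnet is
    paired with the i-th responder subnet, so a reordered list describes a
    different set of subnet pairs and must not be accepted.
    """
    try:
        received_initiator = decode_multi_subnet_id(idci)
        received_responder = decode_multi_subnet_id(idcr)
    except ValueError:
        return False   # malformed identifier: negotiation fails
    return (received_initiator == preconfigured_initiator
            and received_responder == own_subnets)


def map_tunnel(tunnel_id: str, local: List[Subnet], remote: List[Subnet],
               table: Dict[str, List[SubnetPair]]) -> Dict[str, List[SubnetPair]]:
    """Steps S408/S409: record that one tunnel serves several subnet pairs."""
    if len(local) != len(remote):
        raise ValueError("subnet lists must pair up one-to-one")
    table[tunnel_id] = list(zip(local, remote))
    return table


def select_tunnel(table: Dict[str, List[SubnetPair]], src: str, dst: str) -> Optional[str]:
    """Return the tunnel whose recorded subnet pair covers a src/dst packet, if any."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for tunnel_id, pairs in table.items():
        if any(s in local and d in remote for local, remote in pairs):
            return tunnel_id
    return None


# Constructed sample topology following Fig. 6.
GW1_SUBNETS = [Subnet("10.1.1.0/24"), Subnet("10.1.3.0/24")]   # LAN 1, LAN 3
GW2_SUBNETS = [Subnet("10.2.2.0/24"), Subnet("10.2.4.0/24")]   # LAN 2, LAN 4

if __name__ == "__main__":
    idci = encode_multi_subnet_id(GW1_SUBNETS)
    idcr = encode_multi_subnet_id(GW2_SUBNETS)
    print(len(idci), len(idcr))                                        # 20 20
    print(responder_verify(idci, idcr, GW1_SUBNETS, GW2_SUBNETS))       # True
    table = map_tunnel("tunnel-1", GW1_SUBNETS, GW2_SUBNETS, {})
    print(select_tunnel(table, "10.1.3.7", "10.2.4.9"))                 # tunnel-1
```

Two design points matter for a responder. The declared count is checked against the real payload length before any entry is read, so a bogus count cannot cause an over-read or an oversized allocation, and every decoding error is folded into a negotiation failure rather than a crash. Because the pairing is positional, a strict list comparison is the right check: a peer that presents the same subnets in a different order is asking for a different set of subnet pairs and is refused before any mapping is recorded.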
In the method for establishing an Internet Protocol Security virtual private network tunnel provided by the present embodiment, when the vendor identifiers of the first network device and the second network device are inconsistent, an existing standard IKE negotiation is carried out, ensuring compatibility with standard IKE negotiation; when they are consistent, the tunnel establishment request message sent by the first network device carries an identifier of the multiple subnets on the first network device side and an identifier of the multiple subnets on the second network device side, and the information on the subnet pairs on the first network device side and the second network device side is mapped to the identifier of the tunnel whose establishment is requested by the tunnel establishment request message, so that the single tunnel established between the two network devices can correspond to multiple pairs of subnets, reducing the network administrator's workload and the network traffic.
Fig. 7 is a structural schematic diagram of an embodiment of a network device according to the present invention. As shown in Fig. 7, the network device of the present embodiment corresponds to the first network device in the embodiments shown in Fig. 1 or Fig. 4, and may specifically comprise: a first sending module 71, a first receiving module 72, a second sending module 73, a second receiving module 74 and a first mapping module 75, wherein:
The first sending module 71 is configured to send a negotiation request message to the second network device, the negotiation request message carrying a negotiation identifier, and the negotiation identifier being used to indicate that the tunnel whose establishment is requested by the tunnel establishment request message corresponds to the multiple subnets on this network device's side and the corresponding multiple subnets on the second network device side;
Specifically, this network device and the second network device are respectively the initiator and the responder of the IPsec VPN tunnel establishment; both may be gateways, or one of them may be a gateway and the other a mobile client or the like; the specific deployment scenario and device type are not restricted here. The negotiation identifier may specifically be the vendor identifier of this network device.
The first receiving module 72 is configured to receive the negotiation response message to the negotiation request message sent by the second network device, the negotiation response message carrying the first verification result obtained by the second network device performing verification according to the negotiation identifier;
Specifically, taking the negotiation identifier to be the vendor identifier of this network device: when the vendor identifier of this network device carried in the negotiation request message sent by the first sending module 71 of this network device is consistent with the vendor identifier of the second network device, the first verification result carried in the negotiation response message that the first receiving module 72 of this network device receives from the second network device indicates that verification passed; when the vendor identifier of this network device carried in the negotiation request message sent by the first sending module 71 of this network device is inconsistent with the vendor identifier of the second network device, the first verification result carried in the negotiation response message that the first receiving module 72 of this network device receives from the second network device indicates that verification failed.
The second sending module 73 is configured to, if the first verification result indicates that verification passed, send a tunnel establishment request message to the second network device, the tunnel establishment request message carrying an identifier of the network device and an identifier of the second network device, the identifier of the network device being used to identify the multiple subnets on the network device's side and the identifier of the second network device being used to identify the multiple subnets on the second network device side.
Specifically, after the first receiving module 72 of this network device receives the negotiation response message indicating that verification passed sent by the second network device, the second sending module 73 of this network device sends to the second network device a tunnel establishment request message carrying this network device's own identifier and the pre-configured identifier of the second network device. These identifiers serve, on the one hand, for the second network device to verify the identity of this network device and, on the other hand, to identify each pair of subnets that need to communicate through the tunnel. Specifically, the identifier of this network device may comprise: information on the multiple subnets on this network device's side, information on the multiple IP addresses on this network device's side, or information on the multiple IP address ranges on this network device's side; the present embodiment is described taking the case where the identifier of this network device comprises information on the multiple subnets on this network device's side. Specifically, the identifier of this network device may comprise: the number of subnets on this network device's side, and the IP subnet address and subnet mask of each of those subnets;
Accordingly, the identifier of the second network device may comprise: information on the multiple subnets on the second network device side, information on the multiple IP addresses on the second network device side, or information on the multiple IP address ranges on the second network device side; the present embodiment is described taking the case where the identifier of the second network device comprises information on the multiple subnets on the second network device side. Specifically, the identifier of the second network device may comprise: the number of subnets on the second network device side, and the IP subnet address and subnet mask of each of those subnets. Optionally, the order of the per-subnet information in the identifier of the second network device corresponds to the order of the per-subnet information in the identifier of this network device, so that the correspondence between any subnet of this network device and a subnet of the second network device can be determined. For example, a pair of subnets that need to communicate may occupy the same position in the identifier of the second network device and in the identifier of this network device.
The second receiving module 74 is configured to receive the response message to the tunnel establishment request message sent by the second network device, the response message carrying the second verification result obtained by the second network device performing verification according to the identifier of the network device and the identifier of the second network device;
Specifically, when the identifier of this network device and the pre-configured identifier of the second network device carried in the tunnel establishment request message sent by the second sending module 73 of this network device are consistent with the identifier of this network device pre-configured in the second network device and the second network device's own identifier, the second verification result carried in the response message that the second receiving module 74 of this network device receives from the second network device indicates that verification of this network device passed and the negotiation succeeded. Accordingly, when the identifier of this network device and the pre-configured identifier of the second network device carried in the tunnel establishment request message sent by the second sending module 73 of this network device are inconsistent with the identifier of this network device pre-configured in the second network device and the second network device's own identifier, the second verification result carried in the response message that the second receiving module 74 of this network device receives from the second network device indicates that verification of this network device failed and the negotiation failed, and the tunnel establishment process is then terminated.
The first mapping module 75 is configured to, if the second verification result indicates negotiation success, map the information on the multiple subnets on the network device's side and on the second network device side to the identifier of the tunnel whose establishment is requested by the tunnel establishment request message.
Specifically, the first mapping module 75 of this network device maps the information on the multiple subnets on its own side and on the second network device side to the identifier of the tunnel whose establishment is requested by the tunnel establishment request message, and records the mapping locally, so that a single tunnel corresponds to multiple pairs of subnets on the network device's side and the second network device side.
Further, the first receiving module 72 may also be configured to: after receiving the negotiation response message to the negotiation request message sent by the second network device, if the first verification result indicates that verification failed, have the network device and the second network device establish the tunnel using the standard Internet Key Exchange (IKE) negotiation mode.
Specifically, after the first receiving module 72 of this network device receives the negotiation response message indicating that verification failed sent by the second network device, a negotiation request message is sent to the second network device again, this time without a negotiation identifier; that is, an existing standard IKE negotiation is carried out, so as to ensure compatibility with standard IKE negotiation.
In the network device provided by the present embodiment, the first sending module 71 sends to the second network device a negotiation request message carrying the device's own identifier; when the device's own identifier is inconsistent with the identifier of the second network device, the tunnel is established using the standard IKE negotiation mode; when they are consistent, the second sending module 73 sends a tunnel establishment request message carrying an identifier of the multiple subnets on the device's own side and an identifier of the multiple subnets on the second network device side, and the information on the multiple subnets on the device's own side and the second network device side is mapped to the identifier of the tunnel whose establishment is requested by the tunnel establishment request message, so that a single tunnel established between the two network devices can correspond to multiple pairs of subnets on the device's own side and the second network device side, reducing the network administrator's workload and the network traffic.
Fig. 8 is a schematic structural diagram of another embodiment of the network device of the present invention. As shown in Fig. 8, the network device of this embodiment corresponds to the second network device in the embodiment of Fig. 3 or Fig. 4, and may specifically comprise: a third receiving module 81, a first verification module 82, a third sending module 83, a fourth receiving module 84, a second verification module 85, a fourth sending module 86 and a second mapping module 87, wherein:
The third receiving module 81 is configured to receive the negotiation request message sent by the first network device. The negotiation request message carries a negotiation identifier, which indicates that the tunnel requested by the tunnel establishment request message is to correspond to the multiple subnets at the first network device's side and the multiple subnets at this network device's side;
Specifically, the first network device and this network device are respectively the initiator and the responder of the IPsec VPN tunnel establishment. Both may be gateways, or one may be a gateway and the other a mobile client, etc.; the deployment scenario and device type are not restricted here. The negotiation identifier may specifically be the vendor identifier of the first network device.
The first verification module 82 is configured to perform verification according to the negotiation identifier and obtain a first verification result;
Specifically, the first verification module 82 in this network device parses the negotiation request message received by the third receiving module 81 to obtain the negotiation identifier, which is the vendor identifier of the first network device, and compares that vendor identifier with this device's own vendor identifier. If the two are consistent, the first verification result indicates that verification passed; if they are inconsistent, the first verification result indicates that verification failed.
The third sending module 83 is configured to send a negotiation response message to the first network device in reply to the negotiation request message, the negotiation response message carrying the first verification result;
Specifically, when the vendor identifier of the first network device carried in the negotiation request message received by the third receiving module 81 is consistent with this device's own vendor identifier, the third sending module 83 sends to the first network device a negotiation response message indicating that verification passed. Correspondingly, when the two vendor identifiers are inconsistent, the third sending module 83 sends to the first network device a negotiation response message indicating that verification failed.
The fourth receiving module 84 is configured to receive, if the first verification result indicates that verification passed, the tunnel establishment request message sent by the first network device. The tunnel establishment request message carries the identifier of the first network device and the identifier of this network device; the identifier of the first network device identifies the multiple subnets at the first network device's side, and the identifier of this network device identifies the multiple subnets at this network device's side;
Specifically, after the third sending module 83 has sent a negotiation response message indicating that verification passed, the fourth receiving module 84 receives the tunnel establishment request message sent by the first network device. The message carries the identifier of the first network device and the pre-configured identifier of this network device, which serve on the one hand to verify the identity of the first network device and on the other hand to identify each pair of subnets that needs to communicate through the tunnel. The identifier of the first network device may comprise the multiple subnets at the first network device's side, the multiple IP addresses at that side, or the multiple IP address ranges at that side; this embodiment is described with the identifier comprising the multiple subnets. Specifically, the identifier of the first network device may comprise: the number of subnets at the first network device's side, and the IP subnet address and subnet mask of each of those subnets;
Correspondingly, the identifier of this network device may comprise the multiple subnets at this network device's side, the multiple IP addresses at this side, or the multiple IP address ranges at this side; this embodiment is described with the identifier comprising the multiple subnets. Specifically, the identifier of this network device may comprise: the number of subnets at this network device's side, and the IP subnet address and subnet mask of each of those subnets. Optionally, the order of the subnet entries in this network device's identifier corresponds to the order of the subnet entries in the first network device's identifier, so that the correspondence between any subnet of the first network device and a subnet of this network device can be determined. For example, a pair of subnets that need to communicate occupy the same position in the identifier of this network device and in the identifier of the first network device.
The second verification module 85 is configured to perform verification according to the identifier of the first network device and the identifier of this network device, and obtain a second verification result;
Specifically, the second verification module 85 in this network device parses the tunnel establishment request message received by the fourth receiving module 84 to obtain the identifier of the first network device and the pre-configured identifier of this network device, and compares them respectively with the identifier of the first network device pre-configured on this device and with this device's own identifier. When both pairs of identifiers are consistent, the second verification result indicates that verification of the first network device passed and the negotiation succeeded. When one pair or both pairs are inconsistent, the second verification result indicates that verification of the first network device failed and the negotiation failed.
The fourth sending module 86 is configured to send a response message to the first network device in reply to the tunnel establishment request message, the response message carrying the second verification result;
Specifically, when the identifier of the first network device and the pre-configured identifier of this network device carried in the tunnel establishment request message received by the fourth receiving module 84 are respectively consistent with the identifier of the first network device pre-configured on this device and this device's own identifier, the fourth sending module 86 sends to the first network device a response message indicating that the negotiation succeeded. When one pair or both pairs are inconsistent, the fourth sending module 86 sends to the first network device a response message indicating that the negotiation failed, and the tunnel establishment process is terminated.
The second mapping module 87 is configured to map, if the second verification result indicates that the negotiation succeeded, the multiple subnets at this network device's side and at the first network device's side to the identifier of the tunnel requested by the tunnel establishment request message.
Specifically, when the second verification result obtained by the second verification module 85 indicates that the negotiation succeeded, the second mapping module 87 maps the multiple subnets at this device's side and at the first network device's side to the identifier of the tunnel requested by the tunnel establishment request message, so that a single tunnel corresponds to the multiple subnet pairs at this network device's side and the first network device's side.
Further, the third sending module 83 may also be configured to: after sending the negotiation response message to the first network device, if the first verification result indicates that verification failed, establish a tunnel between this network device and the first network device using the standard Internet Key Exchange (IKE) negotiation.
Specifically, after the third sending module 83 sends to the first network device a negotiation response message indicating that verification failed, it receives a negotiation request message re-sent by the first network device that does not carry the negotiation identifier, i.e. the existing standard IKE negotiation is performed, which preserves compatibility with standard IKE negotiation.
The network device provided by this embodiment receives, through the third receiving module 81, the negotiation request message carrying the first network device's identifier sent by the first network device. If its own identifier and that of the first network device are inconsistent, a tunnel is established using the standard IKE negotiation. If they are consistent, the fourth receiving module 84 receives the tunnel establishment request message sent by the first network device, which carries an identifier for the multiple subnets at the first network device's side and an identifier for the multiple subnets at this device's side, and the multiple subnets at both sides are mapped to the identifier of the tunnel requested by that message. A single tunnel established between the two network devices thus corresponds to the multiple subnet pairs at the two sides, which reduces the network administrator's workload and the network traffic.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.
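The two-step negotiation described for the responder above (third receiving module 81 through second mapping module 87), the identifier layout of subnet count plus each subnet's address and mask, and the fall-back to standard IKE when the negotiation identifier does not match, as an added example that is not part of the patent or of any NSFOCUS product: both devices are simulated in one Python process. The byte layout of the identifier, the message field names, the vendor string and the subnet plan are assumptions, and the data-plane lookup at the end is added here to show that subnet pairs are matched by position in the two identifiers.

```python
"""Two-step IPsec VPN tunnel negotiation with a multi-subnet identifier.
Added example, not the patent holder's code: identifier byte layout, message
fields, vendor string and subnet plan are assumptions."""
import ipaddress
import struct

VENDOR_ID = "EXAMPLE-VENDOR-1"  # assumed "negotiation identifier" (vendor identifier)


def encode_identifier(subnets):
    """Device identifier of claim 2: subnet count, then address + mask per subnet."""
    nets = [ipaddress.IPv4Network(str(s)) for s in subnets]
    out = struct.pack("!B", len(nets))
    for n in nets:
        out += n.network_address.packed + n.netmask.packed
    return out


def decode_identifier(data):
    """Parse and validate an identifier; rejects truncated/padded data and host bits."""
    if len(data) < 1:
        raise ValueError("empty identifier")
    (count,) = struct.unpack("!B", data[:1])
    if len(data) != 1 + 8 * count:
        raise ValueError("subnet count does not match identifier length")
    nets = []
    for i in range(count):
        off = 1 + 8 * i
        addr = ipaddress.IPv4Address(data[off:off + 4])
        mask = str(ipaddress.IPv4Address(data[off + 4:off + 8]))
        nets.append(ipaddress.IPv4Network((addr, mask)))  # strict: host bits must be zero
    return nets


class Responder:
    """Second network device, pre-configured with its own subnets and the peer's."""

    def __init__(self, vendor_id, my_subnets, peer_subnets):
        self.vendor_id = vendor_id
        self.my_nets = [ipaddress.IPv4Network(s) for s in my_subnets]
        self.peer_nets = [ipaddress.IPv4Network(s) for s in peer_subnets]
        self.tunnels = {}  # tunnel id -> [(local subnet, remote subnet), ...]

    def on_negotiation_request(self, msg):
        # First verification: the negotiation identifier must equal our own vendor ID.
        return {"verified": msg.get("vendor_id") == self.vendor_id}

    def on_tunnel_request(self, msg):
        # Second verification: both carried identifiers must match the pre-configured ones.
        try:
            peer = decode_identifier(msg["initiator_id"])
            mine = decode_identifier(msg["responder_id"])
        except ValueError:
            return {"negotiated": False}
        if peer != self.peer_nets or mine != self.my_nets:
            return {"negotiated": False}  # negotiation fails, tunnel set-up ends
        # Map every subnet pair (matched by position) to the single tunnel id.
        self.tunnels[msg["tunnel_id"]] = list(zip(self.my_nets, self.peer_nets))
        return {"negotiated": True}


class Initiator:
    """First network device."""

    def __init__(self, vendor_id, my_subnets, peer_subnets):
        self.vendor_id = vendor_id
        self.my_nets = [ipaddress.IPv4Network(s) for s in my_subnets]
        self.peer_nets = [ipaddress.IPv4Network(s) for s in peer_subnets]
        self.tunnels = {}

    def establish(self, responder, tunnel_id):
        """Returns the mode used: 'multi-subnet', 'standard-ike' or 'failed'."""
        resp = responder.on_negotiation_request({"vendor_id": self.vendor_id})
        if not resp["verified"]:
            # Peer is not one of ours: re-send without the identifier, i.e. run
            # standard IKE, which needs one SA per subnet pair instead of one tunnel.
            return "standard-ike"
        resp = responder.on_tunnel_request({
            "tunnel_id": tunnel_id,
            "initiator_id": encode_identifier(self.my_nets),
            "responder_id": encode_identifier(self.peer_nets),
        })
        if not resp["negotiated"]:
            return "failed"
        self.tunnels[tunnel_id] = list(zip(self.my_nets, self.peer_nets))
        return "multi-subnet"


def select_tunnel(tunnels, src, dst):
    """Data-plane lookup: tunnel id whose mapped pair covers src -> dst, else None."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for tid, pairs in tunnels.items():
        if any(s in local and d in remote for local, remote in pairs):
            return tid
    return None


# Constructed sample plan: three subnet pairs behind two gateways.
A_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
B_SUBNETS = ["10.2.0.0/24", "10.2.1.0/24", "10.2.2.0/24"]


def demo():
    a = Initiator(VENDOR_ID, A_SUBNETS, B_SUBNETS)
    b = Responder(VENDOR_ID, B_SUBNETS, A_SUBNETS)
    mode = a.establish(b, tunnel_id=7)
    return mode, a.tunnels, b.tunnels


if __name__ == "__main__":
    mode, a_tunnels, b_tunnels = demo()
    print(mode, len(a_tunnels[7]), "subnet pairs on one tunnel")
    print(select_tunnel(a_tunnels, "10.1.1.5", "10.2.1.9"))  # pair at position 1
    print(select_tunnel(a_tunnels, "10.1.1.5", "10.2.2.9"))  # no pair: positional match
```

The responder compares the received identifiers against its pre-configured copies before touching its tunnel table, and the parser rejects an identifier whose length disagrees with its subnet count or whose subnet address has host bits set, so a malformed request fails the second verification instead of creating a partial mapping. Because pairs are matched by position, 10.1.1.0/24 reaches 10.2.1.0/24 over tunnel 7 but not 10.2.2.0/24; any-to-any reachability between the two sets of subnets would need every combination listed explicitly.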

Claims (12)

1. A method for establishing an Internet Protocol Security (IPsec) virtual private network (VPN) tunnel, characterized by comprising:
a first network device sending a negotiation request message to a second network device, the negotiation request message carrying a negotiation identifier, the negotiation identifier indicating that a tunnel is to correspond to multiple subnets at the side of the first network device and to multiple subnets at the side of the second network device, the tunnel being the tunnel requested to be established by a tunnel establishment request message;
the first network device receiving a negotiation response message to the negotiation request message sent by the second network device, the negotiation response message carrying a first verification result obtained by the second network device by verifying according to the negotiation identifier;
if the first verification result indicates that verification passed, the first network device sending the tunnel establishment request message to the second network device, the tunnel establishment request message carrying an identifier of the first network device and an identifier of the second network device, the identifier of the first network device identifying the multiple subnets at the side of the first network device, and the identifier of the second network device identifying the multiple subnets at the side of the second network device;
the first network device receiving a response message to the tunnel establishment request message sent by the second network device, the response message carrying a second verification result obtained by the second network device by verifying according to the identifier of the first network device and the identifier of the second network device;
if the second verification result indicates that the negotiation succeeded, the first network device mapping the multiple subnets at the side of the first network device and at the side of the second network device to the identifier of the tunnel requested to be established by the tunnel establishment request message.
2. The method according to claim 1, characterized in that the identifier of the first network device comprises: the number of the multiple subnets at the side of the first network device, and the IP subnet address and subnet mask of each subnet at the side of the first network device;
the identifier of the second network device comprises: the number of the multiple subnets at the side of the second network device, and the IP subnet address and subnet mask of each subnet at the side of the second network device.
3. The method according to claim 1 or 2, characterized in that, after the first network device receives the negotiation response message to the negotiation request message sent by the second network device, the method further comprises:
if the first verification result indicates that verification failed, the first network device and the second network device establishing a tunnel using standard Internet Key Exchange (IKE) negotiation.
4. A method for establishing an Internet Protocol Security (IPsec) virtual private network (VPN) tunnel, characterized by comprising:
a second network device receiving a negotiation request message sent by a first network device, the negotiation request message carrying a negotiation identifier, the negotiation identifier indicating that a tunnel is to correspond to multiple subnets at the side of the first network device and to multiple subnets at the side of the second network device, the tunnel being the tunnel requested to be established by a tunnel establishment request message;
the second network device verifying according to the negotiation identifier and obtaining a first verification result;
the second network device sending a negotiation response message to the negotiation request message to the first network device, the negotiation response message carrying the first verification result;
if the first verification result indicates that verification passed, the second network device receiving the tunnel establishment request message sent by the first network device, the tunnel establishment request message carrying an identifier of the first network device and an identifier of the second network device, the identifier of the first network device identifying the multiple subnets at the side of the first network device, and the identifier of the second network device identifying the multiple subnets at the side of the second network device;
the second network device verifying according to the identifier of the first network device and the identifier of the second network device and obtaining a second verification result;
the second network device sending a response message to the tunnel establishment request message to the first network device, the response message carrying the second verification result;
if the second verification result indicates that the negotiation succeeded, the second network device mapping the multiple subnets at the side of the first network device and at the side of the second network device to the identifier of the tunnel requested to be established by the tunnel establishment request message.
5. The method according to claim 4, characterized in that the identifier of the first network device comprises: the number of the multiple subnets at the side of the first network device, and the IP subnet address and subnet mask of each subnet at the side of the first network device;
the identifier of the second network device comprises: the number of the multiple subnets at the side of the second network device, and the IP subnet address and subnet mask of each subnet at the side of the second network device.
6. The method according to claim 4 or 5, characterized in that, after the second network device sends the negotiation response message to the negotiation request message to the first network device, the method further comprises:
if the first verification result indicates that verification failed, the second network device and the first network device establishing a tunnel using standard Internet Key Exchange (IKE) negotiation.
7. A network device, characterized by comprising:
a first sending module, configured to send a negotiation request message to a second network device, the negotiation request message carrying a negotiation identifier, the negotiation identifier indicating that a tunnel is to correspond to multiple subnets at the side of the network device and to multiple subnets at the side of the second network device, the tunnel being the tunnel requested to be established by a tunnel establishment request message;
a first receiving module, configured to receive a negotiation response message to the negotiation request message sent by the second network device, the negotiation response message carrying a first verification result obtained by the second network device by verifying according to the negotiation identifier;
a second sending module, configured to send, if the first verification result indicates that verification passed, the tunnel establishment request message to the second network device, the tunnel establishment request message carrying an identifier of the network device and an identifier of the second network device, the identifier of the network device identifying the multiple subnets at the side of the network device, and the identifier of the second network device identifying the multiple subnets at the side of the second network device;
a second receiving module, configured to receive a response message to the tunnel establishment request message sent by the second network device, the response message carrying a second verification result obtained by the second network device by verifying according to the identifier of the network device and the identifier of the second network device;
a first mapping module, configured to map, if the second verification result indicates that the negotiation succeeded, the multiple subnets at the side of the network device and at the side of the second network device to the identifier of the tunnel requested to be established by the tunnel establishment request message.
8. The network device according to claim 7, characterized in that the identifier of the network device comprises: the number of the multiple subnets at the side of the network device, and the IP subnet address and subnet mask of each subnet at the side of the network device;
the identifier of the second network device comprises: the number of the multiple subnets at the side of the second network device, and the IP subnet address and subnet mask of each subnet at the side of the second network device.
9. The network device according to claim 7 or 8, characterized in that the first receiving module is further configured to:
after receiving the negotiation response message to the negotiation request message sent by the second network device, if the first verification result indicates that verification failed, establish a tunnel between the network device and the second network device using standard Internet Key Exchange (IKE) negotiation.
10. A network device, characterized by comprising:
a third receiving module, configured to receive a negotiation request message sent by a first network device, the negotiation request message carrying a negotiation identifier, the negotiation identifier indicating that a tunnel is to correspond to multiple subnets at the side of the first network device and to multiple subnets at the side of the network device, the tunnel being the tunnel requested to be established by a tunnel establishment request message;
a first verification module, configured to verify according to the negotiation identifier and obtain a first verification result;
a third sending module, configured to send a negotiation response message to the negotiation request message to the first network device, the negotiation response message carrying the first verification result;
a fourth receiving module, configured to receive, if the first verification result indicates that verification passed, the tunnel establishment request message sent by the first network device, the tunnel establishment request message carrying an identifier of the first network device and an identifier of the network device, the identifier of the first network device identifying the multiple subnets at the side of the first network device, and the identifier of the network device identifying the multiple subnets at the side of the network device;
a second verification module, configured to verify according to the identifier of the first network device and the identifier of the network device and obtain a second verification result;
a fourth sending module, configured to send a response message to the tunnel establishment request message to the first network device, the response message carrying the second verification result;
a second mapping module, configured to map, if the second verification result indicates that the negotiation succeeded, the multiple subnets at the side of the first network device and at the side of the network device to the identifier of the tunnel requested to be established by the tunnel establishment request message.
11. The network device according to claim 10, characterized in that the identifier of the first network device comprises: the number of the multiple subnets at the side of the first network device, and the IP subnet address and subnet mask of each subnet at the side of the first network device;
the identifier of the network device comprises: the number of the multiple subnets at the side of the network device, and the IP subnet address and subnet mask of each subnet at the side of the network device.
12. The network device according to claim 10 or 11, characterized in that the third sending module is further configured to: after sending the negotiation response message to the negotiation request message to the first network device, if the first verification result indicates that verification failed, establish a tunnel between the network device and the first network device using standard Internet Key Exchange (IKE) negotiation.
CN201310068073.XA 2013-03-04 2013-03-04 Method for establishing an IPsec virtual private network tunnel, and network device Active CN103152343B (en)

Publications (2)

Publication Number Publication Date
CN103152343A CN103152343A (en) 2013-06-12
CN103152343B true CN103152343B (en) 2015-09-16

Family

ID=48550205

Country Status (1)

Country Link
CN (1) CN103152343B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105812322B (en) * 2014-12-30 2019-11-12 华为数字技术(苏州)有限公司 The method for building up and device of internet safety protocol safe alliance
CN108270613B (en) * 2017-12-21 2021-07-16 华为技术有限公司 Message sending method and network equipment
US10999253B2 (en) * 2018-07-26 2021-05-04 Juniper Networks, Inc. Maintaining internet protocol security tunnels
CN109088883B (en) * 2018-09-21 2021-01-15 北京天融信网络安全技术有限公司 Multi-subnet networking method and device, storage medium and computer equipment
CN111083091B (en) * 2018-10-19 2022-08-02 中兴通讯股份有限公司 Tunnel creation method, device and storage medium
CN109660439B (en) * 2018-12-14 2021-08-13 深圳市信锐网科技术有限公司 Terminal mutual access management system and method
CN113872915A (en) * 2020-06-30 2021-12-31 中兴通讯股份有限公司 Information sending method, information receiving method and network terminal
CN113726795B (en) * 2021-09-01 2023-06-09 北京天融信网络安全技术有限公司 Message forwarding method and device, electronic equipment and readable storage medium
CN114039798B (en) * 2021-11-30 2023-11-03 绿盟科技集团股份有限公司 Data transmission method and device and electronic equipment
CN114338153B (en) * 2021-12-28 2023-07-25 杭州迪普科技股份有限公司 IPSec negotiation method and device
CN114301704B (en) * 2021-12-30 2023-11-10 北京天融信网络安全技术有限公司 Ipsec tunnel negotiation method, home terminal equipment, opposite terminal equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1525711A (en) * 2003-01-21 2004-09-01 Samsung Electronics Co., Ltd. (三星电子株式会社) Gateway for supporting communications between network devices of different private networks
CN101212374A (en) * 2006-12-29 2008-07-02 北大方正集团有限公司 Method and system for remote access to campus network resources
CN101697525A (en) * 2009-10-14 2010-04-21 中兴通讯股份有限公司 Looped network based configuration and data transmission method and system of address forwarding table

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7849499B2 (en) * 2007-08-21 2010-12-07 Cisco Technology, Inc. Enterprise wireless local area network (LAN) guest access
US8724513B2 (en) * 2009-09-25 2014-05-13 Qualcomm Incorporated Methods and apparatus for distribution of IP layer routing information in peer-to-peer overlay networks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and Implementation of a Solution for VPN Subnet IP Address Conflicts (VPN子网IP冲突解决方案的设计与实现); Xiong Ying (熊鹰); Master's thesis, Beijing Jiaotong University (北京交通大学硕士学位论文); 2008-05-15; full text *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100089 3rd floor, Yitai building, 4 Beiwa Road, Haidian District, Beijing

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 5th floor, Yitai Building, 4 Beiwa Road, Haidian District, Beijing

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.